This post starts a container from the official etcd image, mounts a private self-signed certificate set into it, and runs functional tests.
1. Obtaining the image
See the earlier post: Building a CoreDNS container cluster with an etcd backend (2): downloading the latest etcd container image
It is recommended to test the image first: Building a CoreDNS container cluster with an etcd backend (3): etcd functional tests
2. Inspecting the image
[root@localhost opt]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/coreos/etcd v3.5.16 8523cb381f23 5 weeks ago 59MB
3. Creating the container
To make the creation parameters easy to review and keep, create the container from a script, and start with a single-container test. The self-signed certificates are all placed under /opt/etcd/ssl/; how to generate them is covered in: Building a CoreDNS container cluster with an etcd backend (1): generating self-signed certificates
The script is as follows:
[root@localhost etcd]# cat etcd_docker-withssl_run.sh
docker run -d \
-p 2379:2379 \
-p 2380:2380 \
-v /opt/etcd/ssl/etcd.pem:/etc/etcd/ssl/etcd.pem \
-v /opt/etcd/ssl/etcd-key.pem:/etc/etcd/ssl/etcd-key.pem \
-v /opt/etcd/ssl/ca.pem:/etc/etcd/ssl/ca.pem \
--name etcd-1 \
quay.io/coreos/etcd:v3.5.16 \
/usr/local/bin/etcd \
--name etcd-1 \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--listen-client-urls https://0.0.0.0:2379 \
--advertise-client-urls https://0.0.0.0:2379 \
--listen-peer-urls http://0.0.0.0:2380 \
--initial-advertise-peer-urls http://0.0.0.0:2380 \
--initial-cluster etcd-1=http://0.0.0.0:2380 \
--initial-cluster-token tkn \
--initial-cluster-state new
Note that port 2379 is now accessed over https. Now create the container:
[root@localhost etcd]# sh etcd_docker-withssl_run.sh
0510a0b57695aea184ee7114c1a95056a36b0ad03a998cdb5d19b34a89ce8775
[root@localhost etcd]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0510a0b57695 quay.io/coreos/etcd:v3.5.16 "/usr/local/bin/etcd…" 6 seconds ago Up 4 seconds 0.0.0.0:2379-2380->2379-2380/tcp etcd-1
4. Configuring hosts
Because the host list in the certificate configuration is "hosts": [ "etcd-1", "etcd-2","etcd-3","coredns-1","coredns-2","coredns-3","127.0.0.1","localhost"], the local hosts file needs to be updated:
[root@localhost etcd]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.80.135 etcd-1
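Before running etcd_docker-withssl_run.sh it is worth checking the inputs of sections 3 and 4 on the host: the three PEM files the script bind-mounts, the private key's permission bits (a bind mount carries host permissions into the container unchanged), and a hosts entry for the name etcdctl will connect to, since the certificate names hosts rather than the machine's IP. The following preflight script is an added example and is not part of the original post; make_sample_tree builds a throwaway directory with placeholder files (constructed, not real key material) that mirrors /opt/etcd/ssl and /etc/hosts so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: preflight checks to run on the
# host before etcd_docker-withssl_run.sh. The directory layout mirrors
# /opt/etcd/ssl and /etc/hosts from the post; the sample tree built by
# make_sample_tree holds placeholder files, not real key material.

# etcd_tls_preflight SSL_DIR HOSTS_FILE NAME
# Exit status 0 only when: the three files the script bind-mounts exist and
# are readable, the private key is not group/world readable, and NAME (the
# name etcdctl will connect to) has an entry in HOSTS_FILE.
etcd_tls_preflight() {
    pf_dir=$1
    pf_hosts=$2
    pf_name=$3
    pf_rc=0
    for pf_file in ca.pem etcd.pem etcd-key.pem; do
        if [ ! -r "$pf_dir/$pf_file" ]; then
            echo "preflight: missing or unreadable $pf_dir/$pf_file" >&2
            pf_rc=1
        fi
    done
    # A bind mount carries the host's permission bits into the container, so a
    # world-readable key on the host is readable by any process that can reach
    # the path on either side. Expect 600 (or 400 for a read-only copy).
    if [ -f "$pf_dir/etcd-key.pem" ]; then
        pf_mode=$(stat -c '%a' "$pf_dir/etcd-key.pem" 2>/dev/null \
                  || stat -f '%Lp' "$pf_dir/etcd-key.pem")
        case "$pf_mode" in
            600|400) ;;
            *) echo "preflight: etcd-key.pem mode is $pf_mode, expected 600 or 400" >&2
               pf_rc=1 ;;
        esac
    fi
    # The certificate's SAN list names hosts (etcd-1, ...), not the host IP, so
    # the name must resolve locally or verification fails before any RPC.
    if ! grep -Eq "^[^#]*[[:space:]]$pf_name([[:space:]]|\$)" "$pf_hosts"; then
        echo "preflight: $pf_name has no entry in $pf_hosts" >&2
        pf_rc=1
    fi
    return $pf_rc
}

# make_sample_tree prints the path of a throwaway directory containing
# ssl/{ca,etcd,etcd-key}.pem placeholders and a two-line hosts file.
make_sample_tree() {
    st_root=$(mktemp -d)
    mkdir -p "$st_root/ssl"
    for st_file in ca.pem etcd.pem etcd-key.pem; do
        printf '%s\n' "placeholder for $st_file (constructed, not a real PEM)" > "$st_root/ssl/$st_file"
    done
    chmod 600 "$st_root/ssl/etcd-key.pem"
    printf '127.0.0.1 localhost\n192.168.80.135 etcd-1\n' > "$st_root/hosts"
    echo "$st_root"
}

# Demo: a clean tree passes; loosening the key or asking for an unlisted
# name is caught before docker run is ever attempted.
demo_root=$(make_sample_tree)
etcd_tls_preflight "$demo_root/ssl" "$demo_root/hosts" etcd-1 && echo "ok: ready for etcd_docker-withssl_run.sh"
chmod 644 "$demo_root/ssl/etcd-key.pem"
etcd_tls_preflight "$demo_root/ssl" "$demo_root/hosts" etcd-1 || echo "blocked: fix the key permissions first"
rm -rf "$demo_root"
```

Against the real host, call etcd_tls_preflight /opt/etcd/ssl /etc/hosts etcd-1 and only run the docker script when it returns 0. The permission check is the part that matters most here: etcd inside the container runs as root and will happily read a 644 key, so nothing in the post's flow would otherwise notice that the key is readable by every local user on the host.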
5. API health check
Inside the container, the health check without certificates no longer succeeds:
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl endpoint health
{"level":"warn","ts":"2024-10-17T03:23:43.158797Z","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000456000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: EOF\""}
127.0.0.1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Using https together with the mounted certificates, access works normally:
[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl --endpoints=https://127.0.0.1:2379 --cacert /etc/etcd/ssl/ca.pem --cert /etc/etcd/ssl/etcd.pem --key /etc/etcd/ssl/etcd-key.pem endpoint health
https://127.0.0.1:2379 is healthy: successfully committed proposal: took = 23.54756ms
Testing from outside the container without certificates:
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 endpoint health
{"level":"warn","ts":"2024-10-17T11:11:32.106740+0800","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00036a000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
https://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
[root@localhost etcd]# ./etcdctl --endpoints=http://etcd-1:2379 endpoint health
{"level":"warn","ts":"2024-10-17T11:11:41.867510+0800","logger":"client","caller":"[email protected]/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000468000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.80.135:35448->192.168.80.135:2379: read: connection reset by peer\""}
http://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
Access with certificates:
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 --cacert ssl/ca.pem --cert ssl/etcd.pem --key ssl/etcd-key.pem endpoint health
https://etcd-1:2379 is healthy: successfully committed proposal: took = 18.912612ms
The result is normal.
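The three failed attempts above each fail for a different reason, but etcdctl reports all of them as the same "unhealthy cluster". The script below is an added example, not code from the original post: it maps the client warnings shown above to a root-cause label and turns "endpoint health" output into one line per endpoint. sample_log is abridged from the post's own output (timestamps and caller fields dropped, error text kept verbatim). The "bad certificate" pattern is an assumption about the Go TLS alert text and does not occur on this page, because the run script in section 3 does not pass --client-cert-auth.

```shell
#!/bin/sh
# Added example, not code from the original post. Maps the etcdctl client
# warnings seen above to a root-cause label. sample_log below is abridged from
# the post's own output; the "bad certificate" pattern is an assumption about
# the Go TLS alert text and is not something the post shows.

# classify_etcd_client_error LINE -> prints one label
classify_etcd_client_error() {
    case "$1" in
        *"certificate signed by unknown authority"*)
            # Handshake reached a TLS server, but the client was not given the
            # private CA (--cacert), so the self-signed chain is untrusted.
            echo ca-not-trusted ;;
        *"error reading server preface: EOF"* | \
        *"error reading server preface: read tcp"*"connection reset by peer"*)
            # Client used http:// against a TLS-only listener; the server drops
            # the connection instead of answering (EOF in-container, RST over IP).
            echo plaintext-to-tls ;;
        *"remote error: tls: bad certificate"*)
            # Assumed pattern: only seen once the server runs with
            # --client-cert-auth and the client offers no acceptable certificate.
            echo client-cert-rejected ;;
        *)
            echo unknown ;;
    esac
}

# triage_health_log reads "etcdctl endpoint health" output on stdin and prints
# "<endpoint> <label>" per endpoint. Exit status 0 only if all were healthy.
triage_health_log() {
    th_cause=unknown
    th_rc=0
    while IFS= read -r th_line; do
        case "$th_line" in
            '{"level":"warn"'*)
                # The warning precedes the verdict line for the same endpoint.
                th_cause=$(classify_etcd_client_error "$th_line") ;;
            *" is healthy: "*)
                echo "${th_line%% is healthy:*} healthy"
                th_cause=unknown ;;
            *" is unhealthy: "*)
                echo "${th_line%% is unhealthy:*} $th_cause"
                th_cause=unknown
                th_rc=1 ;;
        esac
    done
    return $th_rc
}

# Abridged from the post's "outside the container" attempts (timestamps and
# caller fields dropped, error text kept verbatim).
sample_log='{"level":"warn","logger":"client","msg":"retrying of unary invoker failed","error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
https://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
{"level":"warn","logger":"client","msg":"retrying of unary invoker failed","error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.80.135:35448->192.168.80.135:2379: read: connection reset by peer\""}
http://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
https://etcd-1:2379 is healthy: successfully committed proposal: took = 18.912612ms'

printf '%s\n' "$sample_log" | triage_health_log || echo "at least one endpoint needs attention"
```

Pipe real output into it with ./etcdctl --endpoints=... endpoint health 2>&1 | triage_health_log. One caveat on what the "healthy" line proves: the run script sets --cert-file/--key-file but not --client-cert-auth, so the server only proves its own identity to the client; the --cert/--key pair given to etcdctl is offered but never required. Enabling --client-cert-auth on the server is what turns the mounted client certificate into an authentication check, and that is the point at which the client-cert-rejected label becomes reachable.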
6. Data read/write test
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 --cacert ssl/ca.pem --cert ssl/etcd.pem --key ssl/etcd-key.pem get foo
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 --cacert ssl/ca.pem --cert ssl/etcd.pem --key ssl/etcd-key.pem put foo bar
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 --cacert ssl/ca.pem --cert ssl/etcd.pem --key ssl/etcd-key.pem get foo
foo
bar
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 --cacert ssl/ca.pem --cert ssl/etcd.pem --key ssl/etcd-key.pem put www.sina.com.cn 192.168.8.9
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379 --cacert ssl/ca.pem --cert ssl/etcd.pem --key ssl/etcd-key.pem get www.sina.com.cn
www.sina.com.cn
192.168.8.9
As shown, accessing the etcd database with the certificates works normally.